hxxps://www[.]google[.]co[.]uk/?safe=active&ssui=on

Resubmissions

02-07-2024 08:51

240702-ksk5lsyemm 10

02-07-2024 08:04

240702-jyqrlstcke 6

Analysis

max time kernel
916s
max time network
1597s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-07-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.co.uk/?safe=active&ssui=on

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

105 raw.githubusercontent.com
106 raw.githubusercontent.com

flow	ioc
105	raw.githubusercontent.com
106	raw.githubusercontent.com

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643811243318239"	chrome.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b3a9448c56ccda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{0F321E45-B11B-4078-AEF1-F070E8577297} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4108 chrome.exe
4108 chrome.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4208 MicrosoftEdgeCP.exe
4208 MicrosoftEdgeCP.exe
4208 MicrosoftEdgeCP.exe
4208 MicrosoftEdgeCP.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

4108 chrome.exe
4108 chrome.exe
4108 chrome.exe
4108 chrome.exe
4108 chrome.exe
4108 chrome.exe
4108 chrome.exe

pid	process
4208	MicrosoftEdgeCP.exe
4208	MicrosoftEdgeCP.exe
4208	MicrosoftEdgeCP.exe
4208	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2504	MicrosoftEdge.exe
Token: SeDebugPrivilege	2504	MicrosoftEdge.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

2504 MicrosoftEdge.exe
4208 MicrosoftEdgeCP.exe
4252 MicrosoftEdgeCP.exe
4208 MicrosoftEdgeCP.exe

pid	process
2504	MicrosoftEdge.exe
4208	MicrosoftEdgeCP.exe
4252	MicrosoftEdgeCP.exe
4208	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MicrosoftEdgeCP.exechrome.exe

description	pid	process	target process
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 3496	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4108 wrote to memory of 3560	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3560	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 4672	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 1000	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 1000	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe
PID 4108 wrote to memory of 3852	4108	chrome.exe	chrome.exe

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://www.google.co.uk/?safe=active&ssui=on"
1⤵
PID:4424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff89bc9758,0x7fff89bc9768,0x7fff89bc9778
2⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:2
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:1
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:1
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4440 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:1
2⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4952 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:1
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4656 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:1
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=976 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:8
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4388 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:1
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2992 --field-trial-handle=1868,i,2038323641559353108,8862963092426193285,131072 /prefetch:1
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fe37668596b31e3a0cba58459f2b75b9

SHA1
9a03da51b7ec4189e11177382cafb473afb3aa48

SHA256
39b35b7603129d9e5efb56d19a2b5d931d8dc175a66acf240240c1a5df5c2d7d

SHA512
c6ac0934610ac0f12212f392468e7684f89cd6e3f4bfee970a43d18773cb31ab551cae8dea25fdcefade6ad351cd288761794a5c547d6f54758b54ebbe2c91e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ab174350e6ab45d86257d577b9ad5700

SHA1
3d39d8db0ea2a6465ca7d90858fee06e46fc3541

SHA256
584e8b1e949e5f966cb79a2091888ee47a26cc91b0149e5b99bc1a4711407579

SHA512
3ae31f424ccea99dcfa58f5e6adfa150f12179cb9157fc189c1e2c40d67346fe590a991289a21710547110282a3fb629f490a08d2fa935b7d4be27963ad42f0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
44a143a46004e3838d2b6262b4149c02

SHA1
75427877bdf118695c3af09fef53f242645be798

SHA256
50ff3627e3e898144ebde22bf3ac98c15836ed0b7056d4b3836f519c45effb6c

SHA512
665169861e17486e2d1fa62a943bfcdc779084d59f45dfc6d832f164701196d0708e85c3cd7ee6cb036ce7f34131f86d10c9565420cecff20b590ac33a0decb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c8e096fe16844d05932f23547a0805d0

SHA1
61a44d3afbee600c665588a4f846e349bb17a57e

SHA256
f9b89420c1178243dcfd2049c249a770fa9a3a478fe16eedd22503d8703a64e2

SHA512
9b1f8ea39bfef9dcb3047d3dd15022ac797e410839b1aa1569580d877d983376521fa1a867d9062865b32f6a89884ba3c60197cac3990649309b528c554dfb37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
feece21835642bdf4bc4e382d6d912e8

SHA1
a86a30390059fd8225b69fd9113ed6188d57345a

SHA256
eee6d60a88c080ef822a837c9d0e4ed67d857f748532f591989c86ca6259f374

SHA512
2968d6488fedad60b44368f820fd4bdf87ff086ab96cb6e3021821d0c6f7abc95e9a1a3818c64b038d4cac6a535b7b625c7eab064b835f045bea658ccc0f40f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1bbf7c5daba9a7ff7d93d78c55a603fc

SHA1
f29b526c3e48c0ace773337958e81b4354c89cdf

SHA256
957921180c14f72a5777a421780dc0330aae5bc214d3e33c257f9c079b369802

SHA512
9cf0488510c496f6bae91addff7108563194cb6e528f0a1dd0bc5803e75891be7dbbedba9c212dd52be8dfebdd97c7a4dabd1d6e00f2f3a06d58e4de4daad548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4d208854d3a432c5f6ca9a22a40dd029

SHA1
2058001990bd4971832fc2e1e8638104bb26bb96

SHA256
4261c29b3d9bcf2af8cc636bdde980c7644b4fe80ddfe9fa127809d46050a306

SHA512
ecf8eaeeb3f48f2a981f8b7e73fbc6fc090abb5627abb790a4821444730ad096019d600fccfe8e8381d8a942aba03f4672ec48c8d8e813a064da258a1a08edd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
345963cafa77e80537ff96526efb0629

SHA1
711820bc430aca3ee7f77e2370bbdfb00fc96db3

SHA256
f3c139feff199f683a836a595d87bc602e8f8392f1a5c31e13da5c37691adc50

SHA512
cf3bfc84c26016253d265212a25df02336bd4271473ca11022aff69eb966b335630daceee8b272be91e682ddeb99a39416faacded16210c3e981fd1dc0230cb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
005b83805dc642dc6ebd166d5e39803c

SHA1
9164c1d76ef93bfc74302b7ca9aca1faeb3ccd2b

SHA256
d1d246ef4a307176fb1ffc76ccf646937748a1bdddb5e411d6b7e11c36bca78c

SHA512
ef5785e0b2935f8e34320b17c35db5106928e9e5a14d7f4b84185c4f446fe49e6c2c415fdc4bf0752417be473fe494ce8b1b7d77c2a190ed3aed4b10bf10243b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
18c5ff40d30e8c313718c0e1d4dd86d0

SHA1
ce10a7e4210765354dbc7d024578714969e8db87

SHA256
6e24d4be0a7e8488da0b1e3462e3bd6bbcf6438e44fddb8f15ba4bbe31637900

SHA512
355a2c8ee6ada3cbc1796135bd82653136945536c161dd929b2f751834c64e3c50d17bba0fd4395c5f4d04e50be52d6da0123ff4adefa0d8631b8d1019e75111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c782ed4861876e1adf432ad6085b35e7

SHA1
443365a805dab6034580774287e8e5a1feab8b1f

SHA256
3dc39ee68e04825675b1b74fce133dc8f48768e7f6238bff4644353c6b1a6415

SHA512
6ac38e231a040d5f58f6edaf82d592d9ac920a199610cc0aeeab4b176ef26a661f1fcddd9fe952cf7d524620c8e2efab54de5ac2e2631959cab1f3ce8bd39957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dbf37a9f6d280ef0ea46fdb9c25afa1a

SHA1
51bbc3f9ccc46db11d7d5e0eb6a74bdb2f7bfffd

SHA256
699251f5a5664e81da36206ae0b766aef030361c91a092227c3944758fe4b980

SHA512
41c7ef9443ac55aa979ca0a677900b731940fe8fa81b3577d62d287491a6ea497f0c6025a2d0dd07ab08875b846b48a66505e370f81b33c258600d0917ddac31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
aa1232fe3942593833c8bdcc849830eb

SHA1
59327ae3bc8d9004128840061f49920af9bbd010

SHA256
3b6fc22766a5633a33ec77e2a21170125c06ffb1288d52bf5ea8e8a9c2b4d54a

SHA512
6be1ac5a9f108e400f25d0ebed2d1a5bacc321b16a44a08e4ad22d25adb7bc1ec0a40ec09c2ee59f7836e5b75614c0c1d2098c93e57842470bc536113307b155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ca972cd8c3a0cf58e1fc8208b4037646

SHA1
3e90df67a4dca5c4f4f259c6adeb7b3fb98e8933

SHA256
74c31ca1ea6b3dfff7d15670066643e4b0ef83f462420d8c75da237cbe28db4e

SHA512
9f52eba024206b3e66a59d44e4b4e88020e6039339bb54b720a0505ab9c48dba1ca43270bc0bfa49377b12356e7447c269c1ac226a63470a7672df5e8cf1da9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cf0c41b18cd183f70d0d22eae615d776

SHA1
26501be9fe8b2cb98f05ebf2745af523206ae23d

SHA256
1e0136892cb09cd0b52826a0e6fc4897e327c12e30ef0614b8dca40b692a96b9

SHA512
6f8545e9a9769fe4dfbe05e7a14dae7eb1c90a873445bcb2304e78bdc113a9f3f247de0fac0cf150c6f1e525ec323190fda73afc210ba38cae6697245239c107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
26e91430f9a125534e39cffd6c935e61

SHA1
d9e47cf8c5a58be0f29bbdd700fa5ba3a1662a08

SHA256
49340ee6c8ccd354c6fcee3009c5ab08e0eff3ee7f181f11be941102ef9e6921

SHA512
98c498936c8777650ac435931f822520e06462924b44bcd4930fcfbe574a05ff520e011a5e6bf9a597f57e715e58c6f95ef8e527e718bc669e12f09f880e727b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
286KB

MD5
7fed058e16280805b2ca1497f762e201

SHA1
43956612111863ef9e80b94a1898087fb89c5486

SHA256
1caebdfa890315cc75f84157b507ea0d594c76be8c36545bf3b8c351ec865265

SHA512
7e3ba922ed338040c9294ca9b078f67124e5d15944162ba97e28ec68785c8aa9fe9a57841368b00ba59366b3e15292bd255f9c814df505f88a2453235f3e86ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
286KB

MD5
f031a57569480241b655478fb1069d0f

SHA1
16f31e37a3729f45ed91ae7b57895cac5be8509c

SHA256
9d6f6416898d31810aef271144ffe680ebd7ff7ec156d301c5f71a45711f9375

SHA512
d52fcc4b37924e383a4785634d66181157874eb6770938f877f796b8184704e93b61c7fd396f875dd9ea51c0d633747bb95773fd9536ecb7b2afea5b44ffeebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
26aea4a1f3abdcf5dc23510c763273b6

SHA1
a631b9418e800ce55ccc76badcf34d8ef70f553d

SHA256
4e8eb5c6a05e8f6a04efe3d3ec136351ea284e7202f231e9301ecb92e19be912

SHA512
b2f6c1bd1532979e772962bd7b481c9a11914af5ae620373f7d5cb4edc60f1fc7720a2ad48bb2c67e888593736d220790872ce4d0bffc990418fa41f6feab86d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
99577b32416364fb6514e43befaf3bab

SHA1
f190e6197eab52f689aa0ffa5553efc2c48816e2

SHA256
8cb2de85f08651059d1f24db127e1cd1342fc2ceebfda7e979a9e21952005a4b

SHA512
9a366cda500febc2b37d223662beba9f0f4a4ee3ff67d16290a5271e328c7e8ac0af02760d7e466d9de24b8f3a433bcc8c060d2bbb10122bc293224b35e728a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58310e.TMP

Filesize
92KB

MD5
597317703af68e7d3ae08cf00df5cc1c

SHA1
e1ddd754639190076ddc477722184aaccee33e3c

SHA256
7d9052b8b19a89b51fb66496dd7861903336492ab7ff0280da02d38b775c56ae

SHA512
e4308370e86e76a5434d244e1b2dcd6011a43e22eb8c8190dd8f16d76aca930b7ff27face54a42984658aaa944c6bdca282ca8dc49477f5cd4412aa86865e9a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3WNUAE56\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
\??\pipe\crashpad_4108_LMRXSQMDKSDSNFBW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2504-16-0x0000026546920000-0x0000026546930000-memory.dmp

Filesize
64KB

Download
memory/2504-248-0x0000026543CA0000-0x0000026543CA1000-memory.dmp

Filesize
4KB

Download
memory/2504-252-0x0000026543C60000-0x0000026543C61000-memory.dmp

Filesize
4KB

Download
memory/2504-245-0x0000026543D00000-0x0000026543D02000-memory.dmp

Filesize
8KB

Download
memory/2504-168-0x000002654D780000-0x000002654D781000-memory.dmp

Filesize
4KB

Download
memory/2504-167-0x000002654D770000-0x000002654D771000-memory.dmp

Filesize
4KB

Download
memory/2504-0-0x0000026546820000-0x0000026546830000-memory.dmp

Filesize
64KB

Download
memory/2504-35-0x0000026543C70000-0x0000026543C72000-memory.dmp

Filesize
8KB

Download
memory/3496-83-0x000001591C6C0000-0x000001591C6E0000-memory.dmp

Filesize
128KB

Download
memory/3496-68-0x00000151091E0000-0x00000151092E0000-memory.dmp

Filesize
1024KB

Download
memory/3496-97-0x000001591C020000-0x000001591C022000-memory.dmp

Filesize
8KB

Download
memory/3496-89-0x000001591B3D0000-0x000001591B3D2000-memory.dmp

Filesize
8KB

Download
memory/3496-91-0x000001591BC70000-0x000001591BC72000-memory.dmp

Filesize
8KB

Download
memory/3496-93-0x000001591BC80000-0x000001591BC82000-memory.dmp

Filesize
8KB

Download
memory/3496-95-0x000001591BF00000-0x000001591BF02000-memory.dmp

Filesize
8KB

Download
memory/3496-99-0x000001591C1E0000-0x000001591C1E2000-memory.dmp

Filesize
8KB

Download
memory/3496-71-0x000001591BA00000-0x000001591BA02000-memory.dmp

Filesize
8KB

Download
memory/3496-73-0x000001591BA20000-0x000001591BA22000-memory.dmp

Filesize
8KB

Download
memory/3496-75-0x000001591BA40000-0x000001591BA42000-memory.dmp

Filesize
8KB

Download
memory/3496-63-0x000001590B100000-0x000001590B200000-memory.dmp

Filesize
1024KB

Download
memory/3496-135-0x000001591C3D0000-0x000001591C3D2000-memory.dmp

Filesize
8KB

Download
memory/3496-104-0x000001591EC60000-0x000001591EC80000-memory.dmp

Filesize
128KB

Download
memory/4252-45-0x0000021B9E900000-0x0000021B9EA00000-memory.dmp

Filesize
1024KB

Download